Analysis of Konni RAT: Stealth, Persistence, and Anti-Analysis Techniques
At Cyfirma, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations and individuals. This report provides a comprehensive analysis of Konni RAT, a sophisticated remote access Trojan (RAT) that targets Windows systems. Konni RAT employs a multi-stage attack process involving a combination of batch files, PowerShell scripts, and VBScript to exfiltrate sensitive data, maintain persistence, and execute additional payloads. Key tactics employed by Konni RAT include exploiting Windows Explorer limitations, obfuscating file paths, dynamically generating and encoding URLs, and using temporary files to erase traces of its activity. The malware efficiently exfiltrates critical data, such as system information and user files, to a remote server. Through its modular design and advanced evasion strategies, Konni RAT presents substantial risks to system security, effectively evading detection and hindering analysis efforts by defenders.
Konni RAT is a highly targeted malware strain known for …
IoC
URLs (the listed variants differ only in scheme, "www." prefix, host case and query string; the query is generated at run time, e.g. f=%COMPUTERNAME%.txt):
http://www.roofcolor.com/wp-includes/js/src/list.php?[dynamic-variable]
https://www.roofcolor.com/wp-includes/js/src/list.php
http://acschoolcatering.com
https://www.acschoolcatering.com/libraries/src/inc/get.php
http://Roofcolor.com
http://www.roofcolor.com/wp-includes/js/src/upload.php
http://www.roofcolor.com/wp-includes/js/src/list.php?f=%COMPUTERNAME%.txt
https://www.roofcolor.com/wp-includes/js/src/upload.php
https://www.acschoolcatering.com/libraries/src/inc/get.php?[dynamic-variable]
SHA-256:
76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041
a19b9eb292395e0d84c4a1a8eb5c88abbe0f71060cd06a436bf79da914e3e0c1
c348e945e1f6123bd054277d16a39da715deed8f5a6849bc70a57913b877e2ba
a8b0f9717bc16d48e55be95886500179ca4b7dad9610dd0865dbf8849901a791
4c53e24db4b7858fd9d17de2bfc3d73096f41172dfcc31a807231acb97aff9d0
b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543
474978a976de1c869385d37ae422b1718918bc8cc05353a4bebb2b75846ab74c
f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24
e3c3981f65663c9923da9ca28c20951543ae3796bd39f86964769490b01c2bd7
ee8e8471fbe1b7fc85508e549444893bdea7579c5032c2626abcb1356129787e
61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c
MD5:
a2785ec65622217be80174b887b1eb06
cae6a87fd9ab544e5ccceb38f35c201e
import "hash"

rule Konni_RAT
{
    meta:
        description = "Detects Konni RAT based on IoCs including file names, hashes, URLs, and registry keys."
        author = "CYFIRMA Research"
        date = "2025-03-28"
        threat_level = "High"
        mal_type = "Remote Access Trojan"

    strings:
        // Staged file names from the infection chain
        $file1 = "folder.zip"
        // UTF-8 literal; an LNK stores its own name as UTF-16LE, so this matches
        // scripts or archives that reference the lure, not the LNK file itself
        $file2 = "2024년 귀속 연말정산 안내문_세한.docx.lnk"
        $file3 = "start.vbs"
        $file4 = "disappear.cab"
        $file5 = "32791673.bat"
        $file6 = "40137808.bat"
        $file7 = "45150722.bat"
        $file8 = "92754154.bat"
        $file9 = "93152588.bat"
        $file10 = "96001702.bat"
        $file11 = "98389791.bat"
        // C2 endpoints; the query string is generated per victim, so match up to "?"
        $url1 = "https://www.acschoolcatering.com/libraries/src/inc/get.php?"
        $url2 = "https://www.roofcolor.com/wp-includes/js/src/upload.php"
        $url3 = "https://www.roofcolor.com/wp-includes/js/src/list.php?"
        // Persistence value as it would appear in a script or log
        $reg_key = "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svcstart"

    condition:
        // Known samples by SHA-256. hash.sha256(offset, size) returns lowercase hex;
        // filesize is only defined when scanning a file on disk, not a process.
        hash.sha256(0, filesize) == "61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c" or
        hash.sha256(0, filesize) == "b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543" or
        hash.sha256(0, filesize) == "76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041" or
        hash.sha256(0, filesize) == "f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24" or
        hash.sha256(0, filesize) == "c348e945e1f6123bd054277d16a39da715deed8f5a6849bc70a57913b877e2ba" or
        hash.sha256(0, filesize) == "a8b0f9717bc16d48e55be95886500179ca4b7dad9610dd0865dbf8849901a791" or
        hash.sha256(0, filesize) == "474978a976de1c869385d37ae422b1718918bc8cc05353a4bebb2b75846ab74c" or
        hash.sha256(0, filesize) == "ee8e8471fbe1b7fc85508e549444893bdea7579c5032c2626abcb1356129787e" or
        hash.sha256(0, filesize) == "e3c3981f65663c9923da9ca28c20951543ae3796bd39f86964769490b01c2bd7" or
        hash.sha256(0, filesize) == "4c53e24db4b7858fd9d17de2bfc3d73096f41172dfcc31a807231acb97aff9d0" or
        hash.sha256(0, filesize) == "a19b9eb292395e0d84c4a1a8eb5c88abbe0f71060cd06a436bf79da914e3e0c1" or
        // Script, archive or log content: a C2 URL, the Run value, or at least two
        // of the staged file names together (a single generic name such as
        // folder.zip or start.vbs is too weak on its own). YARA matches file
        // content only; live registry state must be checked with a separate hunt.
        any of ($url*) or
        $reg_key or
        2 of ($file*)
}
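The indicators above are listed as literal strings, but the URL entries are the same two hosts and three paths in different spellings, the beacon query carries the victim hostname rather than a fixed value, and the svcstart Run value is host state that a file scanner never sees. The Python sweep below, added here as an example and not CYFIRMA's own tooling, normalises URLs before matching, walks a constructed proxy log, pulls the hostname out of the list.php?f=<name>.txt beacon, checks file digests against both hash lists, and flags the Run value; the log-line format, log lines, registry entries and the svcstart command line are all constructed for the demonstration.

```python
# Offline IoC sweep for the Konni RAT indicators listed on this page. Added
# example, not CYFIRMA's tooling; the log format, log lines, registry entries
# and file bytes below are constructed for the demonstration.
import hashlib
import re
from urllib.parse import urlsplit

# Network IoCs from the page, reduced to host + path: the listed variants differ
# only in scheme, "www." prefix, host case and query, so match on those.
KONNI_C2_PATHS = {
    "roofcolor.com": {"/wp-includes/js/src/list.php", "/wp-includes/js/src/upload.php"},
    "acschoolcatering.com": {"/libraries/src/inc/get.php"},
}
# File hashes from the page's IoC list (64 hex chars = SHA-256, 32 = MD5).
KONNI_SHA256 = {
    "76ee4da0af1921b820cc0913b4011bb5382edac958eb2592ee1c3a00a41c2041",
    "a19b9eb292395e0d84c4a1a8eb5c88abbe0f71060cd06a436bf79da914e3e0c1",
    "c348e945e1f6123bd054277d16a39da715deed8f5a6849bc70a57913b877e2ba",
    "a8b0f9717bc16d48e55be95886500179ca4b7dad9610dd0865dbf8849901a791",
    "4c53e24db4b7858fd9d17de2bfc3d73096f41172dfcc31a807231acb97aff9d0",
    "b81513f0f8d3db382bb8f931bf2b7a0d4f26f74cfcf60b5d889de87ef2f1d543",
    "474978a976de1c869385d37ae422b1718918bc8cc05353a4bebb2b75846ab74c",
    "f1b4eb84e77e39803a0463b49b66600adb19347512354d0481568a8411b75b24",
    "e3c3981f65663c9923da9ca28c20951543ae3796bd39f86964769490b01c2bd7",
    "ee8e8471fbe1b7fc85508e549444893bdea7579c5032c2626abcb1356129787e",
    "61ce43ea1c2ddafb23ee8ee083417fd375bbefce200f9bb48166af7c67df4d3c",
}
KONNI_MD5 = {"a2785ec65622217be80174b887b1eb06", "cae6a87fd9ab544e5ccceb38f35c201e"}
# Persistence IoC from the page: Run value "svcstart". Hive/key case varies
# between tools, so compare case-insensitively on the key suffix.
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"
RUN_VALUE_NAME = "svcstart"
# The page lists list.php?f=%COMPUTERNAME%.txt; cmd.exe expands the variable
# before the request, so a proxy log carries the victim's real hostname.
BEACON_QUERY = re.compile(r"^f=(?P<host>[^&]+)\.txt$", re.IGNORECASE)


def normalise_url(url):
    """Return (host, path, query) with scheme, port, 'www.' and case removed."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host, parts.path, parts.query


def classify_url(url):
    """None for a clean URL, else a dict describing the IoC hit."""
    host, path, query = normalise_url(url)
    paths = KONNI_C2_PATHS.get(host)
    if paths is None:
        return None
    hit = {"host": host, "path": path, "match": "domain"}
    if path in paths:
        hit["match"] = "c2_endpoint"
        beacon = BEACON_QUERY.match(query)
        if beacon:
            hit["victim_host"] = beacon.group("host")
    return hit


def sweep_proxy_log(lines):
    """Constructed format: 'timestamp src_ip method url status' per line."""
    hits = []
    for line in lines:
        fields = line.split()
        verdict = classify_url(fields[3]) if len(fields) >= 5 else None
        if verdict:
            verdict.update(time=fields[0], src=fields[1])
            hits.append(verdict)
    return hits


def match_hashes(sha256_hex, md5_hex):
    """Name the IoC set a file's digests belong to, or None."""
    if sha256_hex.lower() in KONNI_SHA256:
        return "sha256"
    return "md5" if md5_hex.lower() in KONNI_MD5 else None


def check_file(data):
    """Hash raw file bytes and look them up in both IoC sets."""
    return match_hashes(hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest())


def check_run_entries(entries):
    """entries: (key_path, value_name, command) tuples; returns the flagged ones."""
    return [e for e in entries
            if e[0].lower().endswith(RUN_KEY_SUFFIX) and e[1].lower() == RUN_VALUE_NAME]


# Constructed sample data (not from a real incident).
SAMPLE_PROXY_LOG = [
    "2025-03-28T10:15:02Z 10.0.0.12 GET https://www.roofcolor.com/wp-includes/js/src/list.php?f=WS-FIN-07.txt 200",
    "2025-03-28T10:15:03Z 10.0.0.12 POST https://www.roofcolor.com/wp-includes/js/src/upload.php 200",
    "2025-03-28T10:16:40Z 10.0.0.31 GET http://Roofcolor.com/ 301",
    "2025-03-28T10:17:11Z 10.0.0.44 GET https://www.example.com/wp-includes/js/src/list.php 200",
]
SAMPLE_RUN_ENTRIES = [  # the svcstart command line is hypothetical
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\OneDrive.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svcstart", r"wscript.exe C:\Users\Public\start.vbs"),
]

if __name__ == "__main__":
    print(sweep_proxy_log(SAMPLE_PROXY_LOG), check_run_entries(SAMPLE_RUN_ENTRIES), sep="\n")
```

Matching on normalised host and path is what makes the http/https, www and Roofcolor.com variants collapse into one rule; a hit on the bare domain is reported separately from a hit on a known script path so that a triage queue can rank them. The Run-key check takes its entries from whatever exported them (a Sysmon event 13, a registry dump, a live query), which is the only way to cover an indicator that never lands in a file.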